Information Exposure in Undertow Web Server Prior to 2.0.21
CVE-2019-3888

5.3MEDIUM

Key Information:

Vendor: Red Hat
Status: Vendor
CVE Published: 12 June 2019

Summary

Undertow web server versions before 2.0.21 can expose plaintext credentials through log files. When an exception escapes the handler chain, Connectors.executeRootHandler logs the HttpServerExchange object at ERROR level, and the exchange's string representation includes the request headers. Any Authorization header on the failing request (for example HTTP Basic credentials, which are only base64-encoded and trivially reversible) is therefore written to the server log in recoverable form. The log itself is the exposure: anyone who can read the log files, or the log aggregation system they are shipped to, can recover the credentials. Upgrading to 2.0.21 stops the dump for new requests but does not scrub what was already written; credentials found in historical logs should be treated as compromised and rotated.
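As an added example (not part of the original advisory and not Undertow project code), the script below does two things a responder would want: it checks an Undertow version string against the fixed 2.0.21, and it scans log text for Authorization headers that were dumped inside an HttpServerExchange string, decoding Basic tokens to show exactly what an attacker with log access recovers, and producing a redacted copy of the log. The sample log lines, the log message wording and the exact layout of the exchange dump are constructed approximations for the demo, not captured output from a real server.

```python
"""Added example for CVE-2019-3888 (not Undertow project code).

  is_affected()             -> is this Undertow version below the fixed 2.0.21?
  find_leaked_credentials() -> which log lines carry an Authorization header
                               inside a dumped HttpServerExchange, and what it decodes to
  redact()                  -> same log text with those header values masked

SAMPLE_LOG and the exchange-dump layout are constructed for the demo and only
approximate what an affected server writes; they are not captured output.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

FIXED_VERSION = (2, 0, 21)  # advisory: versions before 2.0.21 are affected

# "Authorization=[<scheme> <token>]" as it appears inside a dumped header map,
# e.g. "request {Authorization=[Basic YWxp...], Host=[...]}".
AUTHZ_RE = re.compile(r"Authorization=\[(?P<scheme>[A-Za-z][\w-]*) (?P<token>[^\]]+)\]")
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")

# Constructed sample: two failing requests whose exchange (with headers) was
# dumped at ERROR level, plus one unrelated INFO line.
SAMPLE_LOG = """\
2019-06-12 10:15:01,123 ERROR [io.undertow.request] (XNIO-1 task-1) Undertow request failed HttpServerExchange{ GET /api/orders request {Authorization=[Basic YWxpY2U6czNjcjN0], Host=[app.example.test], Accept=[*/*]} response {}}
2019-06-12 10:15:02,456 ERROR [io.undertow.request] (XNIO-1 task-2) Undertow request failed HttpServerExchange{ POST /api/upload request {Authorization=[Bearer demo-bearer-token-0123], Host=[app.example.test]} response {}}
2019-06-12 10:15:03,789 INFO  [io.undertow] (main) Started server, listening on 0.0.0.0:8080
"""


@dataclass
class Finding:
    line_no: int
    scheme: str
    token: str
    username: Optional[str] = None  # filled in for Basic tokens only
    password: Optional[str] = None


def is_affected(version: str) -> bool:
    """True if an Undertow version string such as '2.0.20.Final' is below 2.0.21."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Undertow version string: {version!r}")
    return tuple(int(p) for p in m.groups()) < FIXED_VERSION


def _decode_basic(token: str) -> Tuple[Optional[str], Optional[str]]:
    """Reverse HTTP Basic encoding (base64 of 'user:password'); None on garbage."""
    try:
        user_pass = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None, None
    user, _, pwd = user_pass.partition(":")
    return user, pwd


def find_leaked_credentials(log_text: str) -> List[Finding]:
    """Return one Finding per Authorization header found inside an exchange dump."""
    findings: List[Finding] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        # Only the exchange dump carries request headers; skipping other lines
        # keeps false positives down when scanning large logs.
        if "HttpServerExchange{" not in line:
            continue
        for m in AUTHZ_RE.finditer(line):
            f = Finding(line_no, m.group("scheme"), m.group("token"))
            if f.scheme.lower() == "basic":
                f.username, f.password = _decode_basic(f.token)
            findings.append(f)
    return findings


def redact(log_text: str) -> str:
    """Mask the credential part of every dumped Authorization header."""
    return AUTHZ_RE.sub(lambda m: f"Authorization=[{m.group('scheme')} <redacted>]", log_text)


if __name__ == "__main__":
    for v in ("2.0.20.Final", "2.0.21.Final"):
        print(f"{v}: {'AFFECTED' if is_affected(v) else 'fixed'}")
    for f in find_leaked_credentials(SAMPLE_LOG):
        who = f" user={f.username!r}" if f.username else ""
        print(f"line {f.line_no}: {f.scheme} credential exposed{who}")
    print(redact(SAMPLE_LOG))
```

The scanner keys on the `HttpServerExchange{` marker rather than on any Authorization header, so it flags only lines where the exchange dump itself leaked; point it at archived logs and log-aggregator exports as well as the live server log, since the exposure follows wherever the lines were shipped.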

Affected Version(s)

undertow, all versions prior to 2.0.21 (fixed in 2.0.21)

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
